Support for Vault Agent

[mattfirtion]

Feature Request

Allow CASC to use Vault Agent to retrieve secrets. The current setup requires that some sort of credential be passed into the config file. With agent running, the agent will handle any authentication and authorization with Vault and sensitive values wouldn't need to be placed in the config. This also has an impact on roles that might have shorter TTLs on secret ids or token. Running Vault in agent mode can renew tokens once the TTL has expired.

[jetersen]

Not sure how vault agent works, how would Jenkins get secrets from vault agent?

[jetersen]

Is there any existing java library that can serialize data from vault agent?

[mattfirtion]

Here's Hashicorp's overview on agent mode - https://www.vaultproject.io/docs/agent/index.html
The agent acts as a proxy between the client and server. With the agent running, at the command line I don't need to first run vault login. I only have to specify the VAULT_ADDR of where the agent is listening. The way I'd envision this working with Jenkins is no authentication options are passed in or a flag to allow no authentication.

[jetersen]

But how would secrets be passed between agent and Jenkins?

[jetersen]

Can we use existing interface against vault agent? IE. Cli and rest?

[HerrmannHinz]

there is a REST API:
https://www.vaultproject.io/api/overview.html

The Vault HTTP API gives you full access to Vault via HTTP. Every aspect of Vault can be controlled via this API. The Vault CLI uses the HTTP API to access Vault.

[jetersen]

Just watched up on vault agent mode it's basically the same but acts as a proxy between your application and provides some nice features.

[jetersen]

So if CASC_VAULT_AGENT_ADDR is provided it should skip authentication, how does that sound? @mattfirtion @HerrmannHinz ?

[jetersen]

@mattfirtion the library we use assumes x-vault-token is mandatory so currently, this is not supported.

I'll see if I can send a PR their way to add support for vault agent.

[jetersen]

Working PR BetterCloud/vault-java-driver#184 hopefully we can get this into a release in a reasonable timeframe.

[jetersen]

Care to review jenkinsci/hashicorp-vault-plugin#47 would be greatly appreciated @mattfirtion @HerrmannHinz